Authorization Flaw in Pagelayer Website Builder Plugin for WordPress
CVE-2026-2470
Key Information:
- Vendor: WordPress
- CVE Published: 13 June 2026
What is CVE-2026-2470?
The Pagelayer plugin, a drag-and-drop website builder for WordPress, contains an Incorrect Authorization vulnerability that affects all versions up to and including 2.0.9. The flaw is in the pagelayer_save_content AJAX handler, which improperly allows authenticated users to persist contact template metadata on posts, including pending posts. Users with basic post-edit capabilities can exploit this weakness because the pagelayer_contact_submit endpoint accesses user-controlled post/form identifiers without proper context checks. As a result, authenticated attackers, even with Contributor-level access, can set arbitrary configurations for contact form templates, which can then be submitted without authentication. The vulnerability can potentially be combined with other issues, such as CVE-2026-2442, to amplify the risk and provide greater control over how outbound emails are handled, so users should update immediately.
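One way to express the two missing checks in a WordPress AJAX handler pair, as an added example that is not Pagelayer's code or its actual fix. The example_* action names, request fields, meta key and template layout are hypothetical, and using publish_posts as the gate for contact templates is an assumption.

```php
<?php
// Added illustration, not Pagelayer's code. The example_* action names, the
// request fields, the meta key and the template layout are hypothetical.
const EXAMPLE_CONTACT_META = '_example_contact_template';

// Save side: reachable by any logged-in user who can edit the target post.
add_action('wp_ajax_example_save_content', function () {
    check_ajax_referer('example_save_content', 'nonce'); // dies on a bad nonce
    $post_id = absint($_POST['post_id'] ?? 0);
    if (!$post_id || !current_user_can('edit_post', $post_id)) {
        wp_send_json_error('forbidden', 403);
    }
    // ... save ordinary page-builder content here ...

    // Contributors pass edit_post on their own draft and pending posts, so the
    // mail-sending template needs a stronger gate than "can edit this post".
    if (isset($_POST['contact_template'])) {
        if (!current_user_can('publish_posts')) {
            wp_send_json_error('forbidden', 403);
        }
        $template = map_deep(wp_unslash((array) $_POST['contact_template']), 'sanitize_text_field');
        update_post_meta($post_id, EXAMPLE_CONTACT_META, $template);
    }
    wp_send_json_success();
});

// Submit side: reachable without login, so the post and form ids are untrusted.
function example_contact_submit() {
    $post_id = absint($_POST['post_id'] ?? 0);
    $form_id = sanitize_key($_POST['form_id'] ?? '');
    $post    = $post_id ? get_post($post_id) : null;
    // Context check: only forms on content an anonymous visitor can view.
    if (!$post || 'publish' !== get_post_status($post) || post_password_required($post)) {
        wp_send_json_error('not found', 404);
    }
    $forms = get_post_meta($post_id, EXAMPLE_CONTACT_META, true);
    if (!is_array($forms) || !isset($forms[$form_id]) || !is_array($forms[$form_id])) {
        wp_send_json_error('not found', 404);
    }
    // Mail settings come only from the stored template, never from the request.
    $to = sanitize_email($forms[$form_id]['to'] ?? '');
    if (!is_email($to)) {
        wp_send_json_error('misconfigured', 500);
    }
    // ... validate the visitor's fields, then wp_mail($to, ...) ...
    wp_send_json_success();
}
add_action('wp_ajax_example_contact_submit', 'example_contact_submit');
add_action('wp_ajax_nopriv_example_contact_submit', 'example_contact_submit');
```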
Affected Version(s)
Page Builder: Pagelayer – Drag and Drop website builder 0 <= 2.0.9